Skip to Main Content
Forums

Database Software

Announcement

For appeals, questions and feedback about Oracle Forums, please email oracle-forums-moderators_us@oracle.com. Technical questions should be asked in the appropriate category. Thank you!

Interested in getting your voice heard by members of the Developer Marketing team at Oracle? Check out this post for AppDev or this post for AI focus group information.

Unsupported encryption type if run okinit for Kerberos enabled Oracle db

742950Dec 24 2009 — edited May 19 2010
Hello Everyone,

I have worked on Kerberos setting for Oracle db for several days, this issue is almost killing me. Can anybody help me out? Thanks.



I successfully install MIT Kerberos on a linux machine. The Kerberos is working.

I follow up the Oracle instructoins on (http://download.oracle.com/docs/cd/B28359_01/network.111/b28530/asokerb.htm#i1006510) to enable the Kerberos authentication for Oracle database;

then, when I run okinit to get initial ticket, it prompts me "unsupported encryption type" as following:


[oracle@qa-cc-lin-88 bin]$ okinit krbuser

Kerberos Utilities for Linux: Version 10.2.0.1.0 - Production on 24-DEC-2009 13:35:51

Copyright (c) 1996, 2004 Oracle. All rights reserved.

Password for krbuser@COMPOSITE.COM:
okinit: KDC has no support for encryption type

Following is the prompt in the krb5kdc.log;

Dec 24 12:08:04 qa-cc-lin-88 krb5kdc[5474](info): AS_REQ (1 etypes {1}) 10.2.0.88: CANT_FIND_CLIENT_KEY: krbuser@COMPOSITE.COM for krbtgt/COMPOSITE.COM@COMPOSITE.COM, KDC has no support for encryption type
Dec 24 13:35:54 qa-cc-lin-88 krb5kdc[5474](info): AS_REQ (1 etypes {1}) 10.2.0.88: CANT_FIND_CLIENT_KEY: krbuser@COMPOSITE.COM for krbtgt/COMPOSITE.COM@COMPOSITE.COM, KDC has no support for encryption type

I have listed the default encryptioin in my krb5.conf file as follows:

[libdefaults]
ticket_lifetime = 600
default_realm = COMPOSITE.COM
kdc_req_checksum_type = 2
checksum_type = 2
ccache_type = 4
kdc_timesync = 1
default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
dns_lookup_realm = false
dns_lookup_kdc = false

Following is the setting in sqlnet.ora

SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS, KERBEROS5)

NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)

SQLNET.AUTHENTICATION_KERBEROS5_SERVICE = Kerberos

SQLNET.KERBEROS5_CONF=/etc/krb5.conf
SQLNET.KERBEROS5_CONF_MIT=TRUE
SQLNET.KERBEROS5_KEYTAB=/etc/v5srvtab
SQLNET.KERBEROS5_REALMS=/etc/krb.realms

Any ideas how I can solve this issue? Thanks,

Philip Yang

Comments

mNem
Answer 
with t (vCampo1) as 
(
select 
'<?xml version="1.0" encoding="UTF-8"?>
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
<S:Body>
<ns2:ConsultaEEHResponse xmlns:ns2="http://jeta.servicios.ws/">
<return>
<codigoError>6</codigoError>
<mensaje>El Banco se encuentra Inactivo para Recaudo.</mensaje>
<resultado>false</resultado>
</return>
</ns2:ConsultaEEHResponse>
</S:Body>
</S:Envelope>' 
from dual
)
select a.*
from t,
XMLTABLE(
    xmlnamespaces(
      'http://schemas.xmlsoap.org/soap/envelope/' as "S",
      'http://jeta.servicios.ws/'                 as "ns2"
    ),
     '/S:Envelope/S:Body/ns2:ConsultaEEHResponse/return'
     passing xmltype(vCampo1) 
     columns 
     codigoError varchar2(5) PATH 'codigoError',
     mensaje varchar2(200) PATH 'mensaje',
     Resultado varchar2(5) PATH 'resultado'
)a 
;
Marked as Answer by jeffreehy-JavaNet · Sep 27 2020
1 person found this helpful
jeffreehy-JavaNet

Yes. Thank you very much, I try similar way, but I missed one ")" so a got compilation error. Some time you got the answer in front of you but got blind. Appreciate your help.

1 - 2
Locked Post
New comments cannot be posted to this locked post.

Post Details

Locked on Jun 16 2010
Added on Dec 24 2009
#database-security, #database-security-general
1 comment
3,536 views